Mad March Meltdown! Microsoft's patch for a patch for a patch may need another patch

Updated Days after Microsoft released its third attempt at a fix for the Meltdown security vulnerability in Intel's modern processors, system administrators say many of their 64-bit Windows 7 and Server 2008 R2 boxes are still unable to be properly patched.

Pseudo-anonymous Reg reader Lawrence Birdman, who administers around 120 Windows 7 x64 PCs, says all but four of his machines haven't been able to get the most recent update – the software tweak appearing as "not applicable" for the computers in WSUS (Windows Server Update Services).

The out-of-band emergency update, KB4100480, was released by Microsoft last week to supplement a patch released in early March to address severe vulnerabilities accidentally introduced by Redmond's engineers in their January and February security updates for Meltdown on Windows 7 and Windows Server 2008 R2.

That early March update attempted to kill off security bug CVE-2018-1038, introduced in January's Meltdown patch, but it wasn't entirely effective, hence the need to grab and install KB4100480.

Unfortunately, our reader says, something appears to be wrong with WSUS, and some 116 machines under his care, systems that have both the January and February security updates that contain the vulnerability, are being told they cannot get this latest fix.

"The problem is that they're showing as 'not applicable' for all but 4 of my 120 win7 x64 machines," Birdman told us.

"So even though I've approved the update, it's not getting applied to the machines that need it, because the 'update needed' detection appears to be buggy."

Chocolate teapot

We asked Microsoft about the issue and, in true Redmond fashion, received the following useless statement in response: "The update is available to WSUS customers, who can download and import it into WSUS from the catalog."

Perhaps the patch is being rolled out gradually, so some people aren't getting it, but in any case, the Windows giant can't be bothered explaining, leaving confused customers in the dark.

Other admins are also seeing similar problems: discussion threads on Woody Leonhard's Windows-watching website have popped up on the matter, with many saying that though they realize their machines are in need of the patch for the patch for the patch, they can't seem to get WSUS to apply it.

"Of approximately 200 Windows Server 2008 R2 systems all of which have installed more than at least one of the qualifying Jan-Mar updates, only 18 are showing that KB4100480 is applicable," wrote one techie.

"On top of that, since we do utilize WSUS, nearly all of those 200 systems are patched identically."

Microsoft's next scheduled security release is the April 10 monthly update bundle. ®

Updated to add

Apparently, you have to add KB4091290 to WSUS from the Microsoft Update Catalog first before KB4100480 becomes available. Sigh.

PS: There's now a hot fix available for Windows 7 and Server 2008 R2 users who find the latest security updates knacker their networking settings.